SharePoint Security Fundamentals Primer / Avoid Common Pitfalls

UPDATE 12/18/07: See Paul Liebrand's article for some technical consequences of removing or changing the default group names (see his comment below as well).

Overview:

SharePoint security is easy to configure and manage. However, it has proven difficult for some first-time administrators to really wrap their heads around it. Not only that, I have seen some administrators come to a perfect understanding on Monday only to have lost it by Friday because they didn't have to do any configuration in the intervening time. (I admit to having this problem myself.) This blog entry hopefully provides a useful SharePoint security primer and points towards some security configuration best practices.

Important note:

This description is based on out-of-the-box SharePoint security. My personal experience is oriented around MOSS, so there may be some MOSS-specific material here, but I believe it's accurate for WSS as well. I hope that anyone seeing any errors or omissions will point that out in the comments or email me. I'll make corrections post haste.

Fundamentals:

For the purposes of this overview, there are four basic aspects of security: users/groups, securable objects, permission levels and inheritance.

Users and groups break down into:

  • Individual users: Pulled from Active Directory or created directly in SharePoint.
  • Groups: Mapped directly from Active Directory or created in SharePoint. Groups are a collection of users. Groups are global within a site collection. They are never "tied" to a particular securable object.

Securable objects break down into at least:

  • Sites
  • Document libraries
  • Individual items in lists and document libraries
  • Folders
  • Various BDC settings

There are other securable objects, but you get the picture.

Permission levels: Named bundles of granular, low-level access rights (such as add, view, edit and delete items in lists). "Read", "Contribute" and "Full Control" are the familiar out-of-the-box examples; a permission level is what actually gets assigned to a user or group on a securable object.

Inheritance: By default, entities inherit security settings from their containing object. Sub-sites inherit permissions from their parent. Document libraries inherit from their site. So on and so forth. Note that "breaking" inheritance on an object copies the parent's assignments to it at that moment; changes made to the parent afterwards no longer flow down.

Users and groups relate to securable objects via permission levels and inheritance.

The most important security rules to understand, ever 🙂 :

  1. Groups are simply collections of users.
  2. Groups are global within a site collection (i.e. there is no such thing as a group defined at the site level).
  3. Group name notwithstanding, a group does not, in and of itself, have any particular level of security.
  4. Groups have security only in the context of a specific securable object.
  5. You can assign different permission levels to the same group on each securable object.
  6. Web application policy (set in Central Administration, not in any site) trumps all of this (see below).

Security administrators lost in a sea of group and user entries can always rely on these axioms to manage and understand their security configuration.

Common pitfalls:

  • Group names falsely imply permission: Out of the box, SharePoint defines a set of groups whose names imply an inherent level of security. Consider the group "Contributor" (in WSS 3.0/MOSS 2007 the default group is actually named "<Site name> Members" and holds the "Contribute" permission level; the confusion is the same). One unfamiliar with SharePoint security may well look at that name and assume that any member of that group can "contribute" to any site/list/library in the portal. That may be true, but not because the group's name happens to be "Contributor". It is only true out of the box because the group has been given a permission level that enables its members to add/edit/delete content at the root site. Through inheritance, the "Contributors" group may also add/edit/delete content at every sub-site. One can "break" the inheritance chain and change the permission level on a sub-site such that members of the so-called "Contributor" group cannot contribute there at all, but only read (for example). This would not be a good idea, obviously, because it would be very confusing.
  • Groups are not defined at the site level: It's easy to be confused by the user interface. Microsoft provides a convenient link to user/group management via every site's "People and Groups" link. It's easy to believe that when I'm at site "xyzzy" and I create a group through xyzzy's People and Groups link, I've just created a group that only exists at xyzzy. That is not the case. I've actually created a group for the whole site collection.
  • Group membership does not depend on the site (i.e. it is the same group being used everywhere): Consider the group "Owners" and two sites, "HR" and "Logistics". It would be normal to think that two separate individuals would own those sites, an HR owner and a Logistics owner. The user interface makes it easy for a security administrator to mishandle this scenario. If I didn't know better, I might access the People and Groups link via the HR site, select the "Owners" group and add my HR owner to that group. A month later, Logistics comes on line. I access People and Groups from the Logistics site and pull up the "Owners" group. I see the HR owner there and remove her, thinking that I'm removing her from Owners at the Logistics site. In fact, I'm removing her from the global Owners group. Hilarity ensues.
  • Failure to name groups based on a specific role: The "Approvers" group is a perfect example. What can members of this group approve? Where can they approve it? Do I really want people in the Logistics department to be able to approve HR documents? Of course not. Always name groups based on their intended role within the organization. This reduces the risk that the group is assigned an inappropriate permission level on a particular securable object. In the previous HR/Logistics scenario, I should have created two new groups, "HR Owners" and "Logistics Owners", and assigned each a sensible permission level on its own site: the minimum required for those users to do their jobs.
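
As an added example that is not part of the original post, the script below uses the SharePoint 2007 object model from PowerShell to check the six rules and the pitfalls above against a live site collection: it lists the site collection's groups once (rules 1 and 2), prints the permission levels each principal holds on every site or list that has unique permissions (rules 3 to 5 and the inheritance point), and then flags any principal bound on more than one object, which is exactly how a single "Owners" group shared by HR and Logistics shows up. It assumes PowerShell running on a MOSS 2007 / WSS 3.0 web front end, as a site collection administrator, with the Microsoft.SharePoint assembly available; the site collection URL is a placeholder.

```powershell
# Added example, not code from the original post. Assumes PowerShell 1.0 or later
# on a MOSS 2007 / WSS 3.0 web front end, run as a site collection administrator,
# with the Microsoft.SharePoint assembly installed; the URL below is a placeholder.
$siteUrl = "http://intranet.example.com/sites/hr"   # assumption: your site collection

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

# Tally of how many distinct securable objects each principal is bound on. A group
# that appears on many objects is still one group with one membership list.
$bindingsPerPrincipal = @{}

function Show-RoleAssignments($obj, $label) {
    # Rule 4: a group has rights only in the context of one securable object,
    # so report the bindings per object, not per group.
    foreach ($ra in $obj.RoleAssignments) {
        $levels = @()
        foreach ($rd in $ra.RoleDefinitionBindings) { $levels += $rd.Name }
        $name = $ra.Member.Name
        "{0,-55} {1,-30} {2}" -f $label, $name, [string]::Join(", ", [string[]]$levels)
        if ($bindingsPerPrincipal.ContainsKey($name)) { $bindingsPerPrincipal[$name] += 1 }
        else { $bindingsPerPrincipal[$name] = 1 }
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)

# Rules 1-2: groups live on the site collection (its root web), not on any one site,
# so this single list is the membership seen from every site's People and Groups link.
"Site collection groups (global to $siteUrl):"
foreach ($g in $site.RootWeb.SiteGroups) {
    $members = @()
    foreach ($u in $g.Users) { $members += $u.LoginName }
    "  {0,-30} {1}" -f $g.Name, [string]::Join(", ", [string[]]$members)
}

# Inheritance: only objects that have broken inheritance carry their own assignments;
# everything else resolves to the nearest ancestor that has unique permissions.
""
"Objects with unique permissions, and the permission levels each principal holds there:"
foreach ($web in $site.AllWebs) {
    if ($web.HasUniqueRoleAssignments) {
        Show-RoleAssignments $web ("[web]  " + $web.ServerRelativeUrl)
    }
    foreach ($list in $web.Lists) {
        if ($list.HasUniqueRoleAssignments) {
            Show-RoleAssignments $list ("[list] " + $web.ServerRelativeUrl + "/" + $list.Title)
        }
    }
    $web.Dispose()
}
$site.Dispose()

# Rule 5 and the "Owners" pitfall: a principal bound on several objects is one group,
# so editing its membership from any one site changes it on all of them.
""
"Principals bound on more than one object (one membership list shared by all of them):"
foreach ($entry in $bindingsPerPrincipal.GetEnumerator()) {
    if ($entry.Value -gt 1) { "  {0,-30} {1} objects" -f $entry.Key, $entry.Value }
}
```

Two things to keep in mind when reading the output: "Limited Access" entries are added automatically by SharePoint on parent objects whenever a principal has unique rights on something beneath them, and are not a level you assigned; and web application policies (rule 6), the farm service account and the local Administrators group on the web servers do not appear in role assignments at all, so they have to be checked separately in Central Administration.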

If you've made it this far:

Please let me know your thoughts via the comments or email me. If you know of other good references, please share those too!

8 thoughts on "SharePoint Security Fundamentals Primer / Avoid Common Pitfalls"

  1. Крушковача

    More pitfalls:

    * There are certain special permissions available elsewhere in the SSP and not visible in the People and Groups section: "Personalization services permissions" and "Business Data Catalog permissions".

    * I have read that there are also special SharePoint Designer permissions available in some arcane xml buried inside html somewhere.

    * The Primary and Secondary Administrators for a Site Collection are kept elsewhere in Site Collection settings, and are not visible in the People and Groups section.

    * Certain accounts have magical (special) abilities regardless of what you see in the People and Groups area: members of the built-in Administrators group on the web servers, and the Farm Service Account.

    (ПС: Deleting the spam comments would improve legibility here.)

  2. Jean Wright
    This is a very good post. I have fallen into this trap on a few occasions. Security management can get complex when you begin mixing authentication methods and different security grouping methods. This needs to be considered as part of the planning process and should not be overlooked.
  3. Mark Miller wrote:
    (Note from Paul: Mark asked me to make a small change to his comment but I can’t edit live spaces comments so I’ve added it anew here with the change and deleted the original).
    Paul,
    The summary approach for presenting this info came off very well. I especially liked the "Pitfalls" section, since I've fallen into a few of those myself.
    Another thing you said hit home: learning on Monday doesn't necessarily mean you'll remember it on Friday. I'm glad someone besides me is using their blog as a "tickler" system for those critical things that are not done on a regular basis.
    Good work.
    Regards,
    Mark
    EndUserSharePoint.com

    November 27 9:04 AM
    (http://www.EndUserSharePoint.com)

  4. Paul Galvin
    I think it's probably a good idea to remove those default groups, especially Contributor and Owner. They are overbroad and easily confused. I prefer to use "All Authenticated Users" in place of a "Visitor" group as well. If a specific set of users should only have read-only access, then I'd recommend creating an AD group or SharePoint group with an appropriately descriptive name, e.g. "Logistics Visitors".
    –Paul G
